top of page

Outline of Craig Ball's Electronic Discovery Workbook - Email


Here's a continuation of my outline of the 2016 edition of Craig Ball's Electronic Discovery Workbook which I last posted about on June 9, 2017.

X. Mastering Email in Discovery

  1. Introduction

  2. Will clients attempt to conceal damaging emails?

  3. Will employees delete emails from a company’s systems?

  4. Will searches target the correct digital venues?

  5. Will review inadvertently disclose privileged communications or confidential data?

  6. Overview

  7. The average person sends and receives 123 emails each day.

  8. E-mail lodges on servers, cell phones, laptops, home systems, thumb drives and in the cloud.

  9. Most IT professionals don’t know where it’s stored or for how long.

  10. Checklist About Client Email Systems

  11. MS Exchange; Domino; or Office 365?

  12. All discoverable emails go through company’s server?

  13. Local email stores synch with system?

  14. How long email clients and server applications in use?

  15. What are the message purge, retention, journaling and archival settings for each key custodian?

  16. Can a custodian be prevented from deleting emails?

  17. Does backup system capture email stored on custodian’s desktops?

  18. Where are email container files stored?

  19. Collection and preservation methods?

  20. Home PCs used for business purposes?

  21. Instant messaging used for business?

  22. Are employee owned devices allowed to access the network?

  23. New Tools

  24. Enterprise search – search of remote email stores from central location.

  25. Email archiving - Enterprise collections collected into single repository.

  26. Reduce through single instance de-duplication; rules based journaling.

  27. Email Systems and Files

  28. Behind the firewall environment dominated by:

  29. MS Exchange Server

  30. IBM Lotus Domino

  31. Novell GroupWise (popular with government)

  32. Cloud products

  33. Google Apps

  34. MS Office 365

  35. Mail Protocols

  36. API – application protocol facilitates communication

  37. ISP email

  38. POP3 (Post Office Protocol, version 3)

  39. Now rarely used.

  40. Local

  41. IMAP (Internal Mail Access Protocol)

  42. Email client only download all headers. Downloads body only when messaged is opened.

  43. Server stored email with support for local storage.

  44. MAPI (Message Application Programming Interface)

  45. Pre-installed on Windows for basic messaging.

  46. Possible but not common to prevent storage of .pst or .ost files on local machines.

  47. HTTP (Hyper Text Transfer Protocol) –

  48. E.g. Gmail and Hotmail

  49. No local rcord.

  50. Outgoing Email: SMTP and MTA

  51. Simple Message Transfer Protocol – outgoing email.

  52. Message Transfer Agent – uses SMTP to route email over a network to its destination.

  53. Anatomy of an Email

  54. Email is a plain text file.

  55. Attachments are binary data encoded into text. May use Base64 encoding.

  1. Email Header - only the data in section A is visible to the user.

  1. "Received" or X-Received” represents the transfer of the message between two e-mail servers.

  2. Content-Type declaration distinguishes between header and body of message.

  3. Hashing and Deduplication

  4. messages contain unique identifiers, time stamps and routing data that would frustrate efforts to compare one complete message to another using hash values.

  5. Hashing emails omits the header parts with the message identifier and transit data.

  6. Local Email Storage

  7. Email may not only be found on the server but also in:

  8. Temporary Internet Files

  9. Short Message Service exchanges in smartphone synch files.

  10. Offline synch files (.ost files) on laptops.

  11. Email server

  12. File server

  13. OLK system subfolders holding viewed attachments.

  14. Nearline email – backups of user email folders

  15. Email residing on non-party servers

  16. Legacy email stores

  17. Email saved to other formats

  18. Email retained by vendors

  19. Offline on backup tapes and other media

  20. Email in forensically accessible areas.

  21. Looking for Email

  22. finding e-mail stores will hinge on your knowledge of the User’s Account Name or Globally Unique Identifier (GUID) string assigned by the operating system.

  23. .ost files - access to messages when the user has no active network connection.

  24. Every other week (by default), Outlook seeks to auto archive any Outlook items older than six months (or for Deleted and Sent items older than two months).

  25. Outlook viewed attachment folder will have a varying name for every user and on every machine, but it will always begin with the letters “OLK” followed by several randomly generated numbers and uppercase letters.

  26. The latest versions of Exchange Server and the cloud tool, Office 365, feature robust e-discovery capabilities simplifying initiation and managements of legal holds and account exports.

  27. Older versions of Exchange Server stored data in a Storage Group containing a Mailbox Store and a Public Folder Store, each composed of two files: an .edb file and a .stm file. .stm files contain SMTP messages.

  28. Since 2003 MS Exchange can collection email without interrupting its operation.

  29. ExMerge can filtering emails for export.

  30. After an email is deleted by a user, it’s retained for 30 days by default or until Exchange is backed up.

  31. Journaling is the practice of copying all e-mail to and from all users or particular users to one or more repositories inaccessible to most users.

  32. Lotus Notes

  33. Not purpose built for email messaging and calendaring. It’s a toolkit for building capabilities.

  34. .NSF archive files are constantly duplicated across the network.

  35. Must collect the .id file or may be locked out of encrypted content.

  36. Deletions of an email are replicated system wide.

  37. Web based email

  38. Gmail can be exported in a MBOX format.


bottom of page